
Cryptojacking – coming to a server-laptop-phone near you (and how to stop it)

Cryptomining apps were banned from the Play Store some time ago - but that hasn't stopped the crooks getting cryptojackers past Google...

If you’ve heard of cryptocurrency – and who hasn’t these days? – you’ve probably heard of “the blockchain”.
Technically, of course, the phrase the blockchain refers to any number of different blockchains – each cryptocurrency typically has its own – and we use the word in much the same way that we talk about “the weather” or “the automobile”.
Simply put, a blockchain is a digital list – an electronic ledger or transaction record, if you like – that is maintained by a community of volunteers, using cryptographic algorithms to make the ledger itself immune, or at least very highly resistant, to tampering by hackers.
A secure, community-created ledger like a blockchain doesn’t need a central authority to maintain it, because the community does that job, and it doesn’t rely on any one service provider to keep it backed up securely, because everyone in the community has their own copy of it and can check it for tampering any time they like.
Blockchains, therefore, are ideal for decentralised, unregulated, pseudonymous (or, in Monero’s case, largely anonymous) digital cash systems such as Bitcoin and Monero.


There are a couple of catches, though.
Because the blockchain relies on consensus to decide which transactions to lock in and which to reject, you need sufficiently many community members, and sufficient diversity, that no one person or cartel controls more than 50% of the community’s decision-making power – in a proof-of-work system, that means more than half the network’s hashing power.
At the same time, you need a decision-making system under which it’s only worth participating if you play by the rules, so that any fractious minority finds it computationally too expensive to vandalise the system with bogus transactions that take time and effort for the majority to identify and reject.

In most blockchains, the validation algorithm is therefore deliberately designed to make it time-consuming to come up with a genuine block confirmation: in a proof-of-work system such as Bitcoin’s, you have to find a nonce that makes the hash of the candidate block fall below a target value, and the only way to find one is to try nonce after nonce.
An enormous number of computationally expensive cryptographic hash calculations is needed for every block, and there are no algorithmic shortcuts – it’s all down to how much computing power you have, and how much you are willing to spend on electricity (and airconditioning!) to run your cryptocurrency computers.
To pay back the “volunteers” who perform these expensive calculations, whoever first confirms a new block of transactions – thus the name blockchain – is rewarded in some way, typically with a subsidy of newly created coins plus a processing fee that slices off a fraction of each transaction in the block and remits it to the solver as a commission payment.
Because the calculations require you to do loads of cryptographic computations, and because the rewards come from value that is essentially “dug out” of the transactions that you confirm, this process is known in the jargon as cryptomining.
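The proof-of-work search just described, as an added example that is not part of the original article or of any real cryptocurrency’s code: a simplified miner that appends a nonce to a constructed block header, double-SHA256es it, and keeps going until the hash falls below a target set by a difficulty in bits. It shows the asymmetry that makes the whole scheme (and cryptojacking) work: finding a solution costs on average 2^difficulty hashes with no shortcut, while checking someone else’s solution costs one hash. The header layout and the “difficulty in bits” are assumptions for illustration; real networks have their own header formats, hash functions and difficulty encodings.

```python
import hashlib
import statistics


def double_sha256(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256 of a candidate block header."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A hash must be below this value to count as a solution.
    Each extra bit halves the target and so doubles the expected work."""
    return 1 << (256 - difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force a nonce whose double-SHA256 falls below the target.

    Returns (nonce, attempts). Every attempt is one independent hash, so
    there is no shortcut: expected attempts ~= 2 ** difficulty_bits.
    """
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        digest = double_sha256(header + nonce.to_bytes(8, "little"))
        if int.from_bytes(digest, "big") < target:
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted without a solution")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs exactly one hash, however long
    the search took and whoever (or whatever) paid for it."""
    digest = double_sha256(header + nonce.to_bytes(8, "little"))
    return int.from_bytes(digest, "big") < target_for(difficulty_bits)


def mean_attempts(difficulty_bits: int, samples: int = 40) -> float:
    """Average search cost over several constructed headers, to show that
    the work really does scale as 2 ** difficulty_bits."""
    attempts = []
    for i in range(samples):
        header = b"constructed-header-%d" % i  # constructed sample input
        attempts.append(mine(header, difficulty_bits)[1])
    return statistics.mean(attempts)


if __name__ == "__main__":
    # Constructed header; a real one carries the previous block hash,
    # a Merkle root of the transactions, a timestamp and the difficulty.
    header = b"prev=00..00|merkle=abc|time=1536000000"
    nonce, tries = mine(header, 16)
    print(f"nonce={nonce} found after {tries} hashes; valid={verify(header, nonce, 16)}")
    print(f"mean hashes per solution at 8 bits: {mean_attempts(8):.0f} (expect about 256)")
```

Raising the difficulty by one bit doubles the average number of hashes for the miner but leaves the verifier’s cost unchanged, which is exactly why miners want as many CPUs as they can get, and why a crook who can run code on your machine is happy to use yours.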
You can see where this is going.

When hijacking meets mining

If I’m a cybercrook and I can hijack your computer by implanting malware, I can use your CPU for my cryptomining.
Simply put, you pay for the electricity (and you get to fry eggs on your computer, because cryptomining is hot work for your processor), while I get to steal any cryptocurrency earned by your CPU.
Combine the phrases “cryptomining” and “computer hijacking” and you get the portmanteau word cryptojacking.
Cryptocurrency values have fallen since the start of 2018 – bitcoins, for example, are down from about $20,000 each to somewhere between $6000 and $7000 – but that hasn’t been enough to make cryptojacking attacks dry up.
After all, from a cybercrook’s point of view, it’s as good as free money, so there are plenty of criminals still willing to devote themselves to cryptojacking.
There are two main ways that cryptojacking is carried out these days:

  • Sneak dedicated cryptomining software into your network and leave it running all the time. Servers are especially at risk here: the crooks love them because they’re usually more powerful than desktops and laptops, and they’re usually running 24/7.
  • Sneak JavaScript cryptomining software into hacked web pages so that your browser mines for currency as you surf the web. The crooks get much less out of each victim – as soon as you leave the poisoned website, the mining stops – but a single hacked site could end up cryptojacking millions of visitors each day, whatever operating system they’re using.

As cyberthreats go, cryptojacking is often considered the best of a bad lot, given that it doesn’t try to plunder your confidential data, capture your passwords, map out your network, or violate your customers’ privacy. Bear in mind, though, that a miner implanted on a server means the crooks already had a way to run code of their choosing on it, and that same foothold could just as easily deliver something worse.
In fact, it’s this data-neutral aspect of cryptojacking that makes it work even inside the sandbox of a web browser, because the cryptomining code doesn’t need to read files, log keystrokes or snoop on network traffic – all it needs is CPU power, and plenty of it.
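Browser-based cryptojacking has to pull its mining script into the page from somewhere, so one practical check is to look at where a page’s scripts are loaded from. The following is an added example, not code from the original article or from Sophos: it extracts every external script source from an HTML document (including scheme-relative `//host/...` URLs, a common trick), resolves it against the page URL, and classifies it as first-party, third-party or on a blocklist. The blocklist entries and the sample page are constructed for illustration (`.invalid` is a reserved domain); in practice the list comes from your web-filtering or anti-virus vendor, and the matching is done by domain suffix rather than by substring so that `notminer.example` is not mistaken for `miner.example`.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist for illustration only; a real one is vendor-supplied.
BLOCKLIST = {"miner-pool.invalid", "cryptojack.invalid"}

# Constructed sample page: one same-origin script, one ordinary CDN script,
# one scheme-relative script from a blocklisted host, one inline script.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="//js.miner-pool.invalid/lib/miner.min.js"></script>
<script>var x = 1;</script>
</head><body></body></html>"""


def domain_matches(host: str, blocked: str) -> bool:
    """True when host is exactly the blocked domain or a subdomain of it.
    Suffix matching on a dot boundary avoids substring false positives."""
    host = host.lower().rstrip(".")
    return host == blocked or host.endswith("." + blocked)


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag that has one."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def classify_scripts(page_url: str, html: str, blocklist=BLOCKLIST):
    """Return [(resolved_script_url, verdict)] for each external script,
    where verdict is 'blocked', 'first-party' or 'third-party'."""
    page_host = urlsplit(page_url).hostname.lower()
    collector = ScriptCollector()
    collector.feed(html)
    results = []
    for src in collector.srcs:
        url = urljoin(page_url, src)          # handles relative and //host forms
        host = urlsplit(url).hostname
        if host is None:                       # data:, javascript: and the like
            continue
        host = host.lower()
        if any(domain_matches(host, b) for b in blocklist):
            verdict = "blocked"
        elif host == page_host:
            verdict = "first-party"
        else:
            verdict = "third-party"
        results.append((url, verdict))
    return results


if __name__ == "__main__":
    for url, verdict in classify_scripts("https://shop.example/page", SAMPLE_PAGE):
        print(f"{verdict:12} {url}")
```

The same classification is what a filtering proxy or a browser extension applies per request: a “blocked” verdict stops the mining script before it ever reaches the browser, which is the point made under “What to do?” below, and the “third-party” list is worth a glance on any site you run yourself, since a hacked page usually shows up as one unexpected extra script.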

Sadly, even mobile phones aren’t immune from cryptojacking, despite the fact that they’re usually less powerful than laptops (and a lot less powerful than servers) and in sleep mode most of the time.
As we mentioned above, even if the crooks extract no more than a few cents of ill-gotten gains a day, it’s as good as free money; it all adds up; and it’s not their phone that’s getting cooked or their battery that’s getting hammered.
Worse still, even sticking to Google Play isn’t a guarantee of avoiding apps with hidden cryptojacking features.
SophosLabs recently found a whole raft of disguised cryptojackers still available for download, even though Google itself banned cryptomining apps from the Play Store back in July 2018.
The apps passed themselves off as games, utilities and educational apps, but their main purpose was to make money behind your back.

What to do?

Usually, we urge Naked Security readers to avoid Android malware by sticking to the Play Store, but that’s clearly not enough on its own.
So, whatever sort of device – phone, netbook, laptop, server – you’re looking to protect from cryptojackers, consider the following:

  • Use an anti-virus that blocks both dangerous content and risky websites. Browser-based cryptojacking relies on pulling down mining code from an external web server every time you browse, so blocking known cryptojacking sites stops the malicious JavaScript arriving in the first place.
  • Watch out for unexpected CPU load. Cryptomining doesn’t come free for you either, because it typically makes your laptop run as though it’s 10 years out of date. On a Mac, click the battery icon to see apps Using Significant Energy; on Windows, use Ctrl+Shift+Esc to bring up Task Manager; on Linux, run top in a terminal. What you are looking for is a process pinned at or near 100% CPU for hours on end, not the short bursts that a compile or a page load produces.
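Eyeballing Task Manager works for one laptop, but on a fleet of servers (the crooks’ favourite target, as noted above) you want the “unexpected CPU load” check to run by itself. Here is an added example, not code from the original article or from Sophos, of the detection logic: it parses successive samples of `ps -eo pid,pcpu,comm --no-headers` output and flags processes whose CPU stayed above a threshold for several consecutive samples, which separates a miner running flat out around the clock from a compiler or browser tab that merely spikes. The samples, process names and PIDs are constructed; the thresholds (80% CPU, three consecutive one-minute samples) are assumptions you would tune, and a legitimate batch job that runs flat out will trip the same rule, so treat a hit as something to look at rather than as proof of malware.

```python
from collections import defaultdict

# Constructed samples of `ps -eo pid,pcpu,comm --no-headers`, taken one
# minute apart. "kworkerd" is a made-up name chosen to look like a kernel
# thread, the kind of disguise a dropped miner binary uses; gcc and
# firefox are short-lived legitimate spikes.
SAMPLES = [
    "\n".join(lines) for lines in [
        [" 1021  0.5 sshd", " 2310 97.8 kworkerd", " 2455 88.0 gcc", " 3001  3.1 firefox"],
        [" 1021  0.3 sshd", " 2310 98.4 kworkerd", " 2455 91.2 gcc", " 3001  4.0 firefox"],
        [" 1021  0.2 sshd", " 2310 99.0 kworkerd", " 2455  0.0 gcc", " 3001  2.2 firefox"],
        [" 1021  0.4 sshd", " 2310 97.1 kworkerd", " 3001 85.0 firefox"],
        [" 1021  0.1 sshd", " 2310 98.9 kworkerd", " 3001  3.5 firefox"],
    ]
]


def parse_ps(text: str):
    """Yield (pid, pcpu, comm) tuples from ps -eo pid,pcpu,comm output.
    comm may contain spaces, so only the first two fields are split off."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, cpu, comm = parts
        yield int(pid), float(cpu), comm


def sustained_hogs(samples, threshold: float = 80.0, min_samples: int = 3):
    """Return [(pid, comm, longest_streak)] for processes that were at or
    above `threshold` percent CPU in at least `min_samples` consecutive
    samples. A process that disappears or dips below the threshold has
    its streak reset, so bursts are not counted."""
    streak = defaultdict(int)   # current run of hot samples per pid
    longest = defaultdict(int)  # longest run seen per pid
    names = {}
    for sample in samples:
        seen = set()
        for pid, cpu, comm in parse_ps(sample):
            seen.add(pid)
            names[pid] = comm
            if cpu >= threshold:
                streak[pid] += 1
                longest[pid] = max(longest[pid], streak[pid])
            else:
                streak[pid] = 0
        for pid in list(streak):
            if pid not in seen:        # exited (or PID reused): start over
                streak[pid] = 0
    return sorted(
        (pid, names[pid], longest[pid])
        for pid in longest
        if longest[pid] >= min_samples
    )


if __name__ == "__main__":
    # In production, feed real output: subprocess.run(["ps", "-eo",
    # "pid,pcpu,comm", "--no-headers"], capture_output=True, text=True).stdout
    for pid, comm, run in sustained_hogs(SAMPLES):
        print(f"pid {pid} ({comm}) has been >=80% CPU for {run} consecutive samples")
```

Note that for browser-based cryptojacking the hog that shows up here is the browser itself (as the comment thread below points out), so a browser sitting at 100% CPU while you are reading a static page is worth closing the tab over; for a server, an unfamiliar process name at 100% for five minutes straight is the point at which you pull the binary for a look.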



7 Comments

Paul, are there any specific apps, services, or even file names we should watch out for?
(being over creative here) Maybe we can make a task that watches for that file.xxx, when it finds it, does a pid to netstat command, and tosses the IP into a black list. Or for more fun, flood them with corrupt/fake file.xxx files to put a wrench in their software… okay, I’ll put the keyboard down now.


The problem with looking out for filenames is that for permanently installed malware executables the name is trivial to change (the crooks can just rename the file each time), and for browser-based malware the “offending” program is your browser!


“we urge Naked Security readers to avoid Android malware by sticking to the Play Store” … if they don’t find their happiness on fdroid


I have Sophos Home on both PCs and Sophos Mobile on our phones. Is this enough or do we need a virus remover as well?


Both those products can handle detection, blocking and removal.
If you want to be sure, to be sure, we also have a free, standalone Virus Removal Tool – you can run it alongside any other anti-virus, so you don’t need to uninstall the other product first. If you think your current anti-virus missed something, the Virus Removal Tool can help you find it and clean it up. (Windows only.)
https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx


Great article! I’m trying to learn more about blockchain and security and there’s one bit I don’t get. Blockchain users are supposed to validate transactions to make the cryptocurrency system tamper proof. Is it not possible for those users to tell when the mining is coming from cryptojacking? Isn’t that a flaw? If any crook can just “crowdsource” the power they need through hijacking, seems to me like they are beating the cryptocurrency system. I’m not a techie so apologies if it’s an obvious question. I understand why a common user won’t want to be hijacked, but trying to figure out why it is possible/profitable in the first place. Do you have any insights?


Thing is, a blockchain is meant to be a cryptographically strong, distributed and essentially anonymous ledger that “locks in” transactions for the community at large.
Whether the person doing the calculations intended to do them or not, the end result – a tamper-proof, official ledger entry – is equally strong cryptographically. Whoever did the work gets the reward, and it’s not the purpose of the ledger itself to decide whether that work relied on stolen resources or not.
If the blockchain also had to solve the problem of identifying each cryptographic solver before accepting each result, the operator of each cryptocurrency would essentially become a “central authority” for its blockchain – but cryptocurrencies are supposed to have no central regulator.

